Integrate Security Command Center with Google SecOps

Integration version: 14.0

This document explains how to integrate Security Command Center with Google Security Operations.

Before you begin

To integrate Security Command Center, you must complete the following steps:

Create a custom Identity and Access Management (IAM) role with the necessary permissions.
Configure authentication using one of the following options:
- JSON key
- Workload Identity (Recommended)

Create and configure an IAM role

To create and configure a custom IAM role for the integration, complete the following steps:

In the Google Cloud console, go to the IAM Roles page.

Go to Roles
Click Create role to create a custom role with permissions required for the integration.
Enter a Title, Description, and unique ID.
Set the Role Launch Stage to General Availability.
Add the following permissions to the created role:
- securitycenter.assets.list
- securitycenter.findings.list
- securitycenter.findings.setMute
- securitycenter.findings.setState
Click Create.

Configure authentication

To authenticate the integration, use a service account with a JSON key, or with a Workload Identity.

Authentication with a JSON key

This method uses a static JSON key file to authenticate the service account.

Create a service account

To authenticate using a JSON key, you must first create a service account:

In the Google Cloud console, navigate to IAM & Admin > Service accounts.
Select the project where you want to create the service account.
Click Create Service Account.

If you prefer to use an existing service account, select the service account you want to use and generate a JSON key.
Provide a name and description and click Create and Continue.
In the Grant this service account access to project step, add the custom role you created.
Click Done to finish creating the account.

Generate a JSON Key

Complete the following steps to generate the required JSON key file:

In the service accounts list, select the email address of the service account you created (or selected) to open its details.
Click the Keys tab.
Click Add Key > Create new key.
Select JSON as the key type and click Create.
The JSON key file downloads to your computer. Store this file securely and paste the entire contents of this file into User's Service Account when configuring the integration parameters.

Authentication with a Workload Identity (Recommended)

This method allows the integration to impersonate a service account without the need to handle long-lived secrets.

To configure a Workload Identity, complete the following steps:

In the Google Cloud console, go to IAM & Admin > Service accounts.
Select an existing service account or create a new one.
Grant the custom role you created to the service account.
Grant the Service Usage Consumer role to the service account. This permission is required to associate API usage with the project defined in the Quota Project ID.
Grant the Service Account Token Creator role to the service account.

This permission allows the integration to generate the short-lived credentials needed for authentication.
Note the Client Email of the service account and use this value in Workload Identity Email when configuring the integration parameters.

Integration parameters

The Security Command Center integration requires the following parameters:

Parameter	Description
`API Root`	Required. The API root of the Security Command Center instance.
`Organization ID`	Optional. The ID of the Google Cloud organization to use for scoping the Security Command Center integration queries.
`Project ID`	Optional. The Google Cloud project ID used to scope the Security Command Center instance queries.
`Quota Project ID`	Optional. The Google Cloud project ID used for API usage and billing purposes. Note: This parameter is mandatory if you are using the `Workload Identity Email` authentication method, which requires granting the `Service Usage Consumer` role to your service account.
`User's Service Account`	Optional. The full content of the service account key JSON file. Only use this parameter if you are authenticating using a JSON key.
`Workload Identity Email`	Optional. The client email address of your service account. Only use this parameter if you are authenticating using a Workload Identity. If you configure this parameter, you must also configure `Quota Project ID`.
`Verify SSL`	Required. If selected, the integration validates the SSL certificate when connecting to the Security Command Center server. Enabled by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Get Finding Details

Use the Get Finding Details action to retrieve details about a finding in Security Command Center.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Finding Details action requires the following parameters:

Parameter Description

Parameter	Description
`Finding Name`	Required. The full resource names of the findings to return details, in the format `organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID`. This parameter accepts multiple values as a comma-separated list.

Finding Name

Required.

The full resource names of the findings to return details, in the format organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID.

This parameter accepts multiple values as a comma-separated list.

Action outputs

The Get Finding Details action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The Get Finding Details action can return the following table:

Table title: Finding Details

Table columns:

Category
State
Severity
Type

JSON result

The following example shows the JSON result output received when using the Get Finding Details action:

{
   {
      "finding_name": "organizations/ORGANIZATION_ID/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
      "finding": {
        "name": "organizations/ORGANIZATION_ID/sources/2678067631293752869/findings/hvX6WwbvFyBGqPbEs9WH9m",
        "parent": "organizations/ORGANIZATION_ID/sources/2678067631293752869",
        "resourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
        "state": "ACTIVE",
        "category": "Discovery: Service Account Self-Investigation",
        "sourceProperties": {
          "sourceId": {
            "projectNumber": "PROJECT_ID",
            "customerOrganizationNumber": "ORGANIZATION_ID"
          },
          "detectionCategory": {
            "technique": "discovery",
            "indicator": "audit_log",
            "ruleName": "iam_anomalous_behavior",
            "subRuleName": "service_account_gets_own_iam_policy"
          },
          "detectionPriority": "LOW",
          "affectedResources": [
            {
              "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID"
            }
          ],
          "evidence": [
            {
              "sourceLogId": {
                "projectId": "PROJECT_ID",
                "resourceContainer": "projects/PROJECT_ID",
                "timestamp": {
                  "seconds": "1622678907",
                  "nanos": 448368000
                },
                "insertId": "ID"
              }
            }
          ],
          "properties": {
            "serviceAccountGetsOwnIamPolicy": {
              "principalEmail": "prisma-cloud-serv@PROJECT_ID.iam.gserviceaccount.com",
              "projectId": "PROJECT_ID",
              "callerIp": "192.0.2.41",
              "callerUserAgent": "Redlock/GC-MDC/resource-manager/PROJECT_ID Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)",
              "rawUserAgent": "Redlock/GC-MDC/resource-manager/PROJECT_ID Google-API-Java-Client HTTP-Java-Client/1.34.0 (gzip),gzip(gfe)"
            }
          },
          "contextUris": {
            "mitreUri": {
              "displayName": "Permission Groups Discovery: Cloud Groups",
              "url": "https://attack.mitre.org/techniques/ID/003/"
            },
            "cloudLoggingQueryUri": [
              {
                "displayName": "Cloud Logging Query Link",
                "url": "https://console.cloud.google.com/logs/query;query=timestamp%3D%222021-06-03T00:08:27.448368Z%22%0AinsertId%3D%22ID%22%0Aresource.labels.project_id%3D%22PROJECT_ID%22?project=PROJECT_ID"
              }
            ]
          }
        },
        "securityMarks": {
          "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID/securityMarks"
        },
        "eventTime": "2021-06-03T00:08:27.448Z",
        "createTime": "2021-06-03T00:08:31.074Z",
        "severity": "LOW",
        "canonicalName": "projects/PROJECT_ID/sources/SOURCE_ID/findings/FINDING_ID",
        "mute": "UNDEFINED",
        "findingClass": "THREAT",
        "mitreAttack": {
          "primaryTactic": "DISCOVERY",
          "primaryTechniques": [
            "PERMISSION_GROUPS_DISCOVERY",
            "CLOUD_GROUPS"
          ]
        }
      },
      "resource": {
        "name": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
        "projectName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
        "projectDisplayName": "PROJECT_ID",
        "parentName": "//cloudresourcemanager.googleapis.com/organizations/ORGANIZATION_ID",
        "parentDisplayName": "example.net",
        "type": "google.cloud.resourcemanager.Project",
        "displayName": "PROJECT_ID"
      }
    }
}

Output messages

The Get Finding Details action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully returned details about the following findings in Security Command Center: FINDING_NAMES.` `Action wasn't able to find the following findings in Security Command Center: FINDING_NAMES.` `None of the provided findings were found in Security Command Center.`	The action succeeded.
`Error executing action "Get Finding Details". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully returned details about the following findings in Security Command Center: FINDING_NAMES.

Action wasn't able to find the following findings in Security Command Center: FINDING_NAMES.

None of the provided findings were found in Security Command Center.

The action succeeded.

Error executing action "Get Finding Details". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Finding Details action:

Script result name	Value
`is_success`	`true` or `false`

List Asset Vulnerabilities

Use the List Asset Vulnerabilities action to list vulnerabilities related to entities in Security Command Center.

This action doesn't run on Google SecOps entities.

Action inputs

The List Asset Vulnerabilities action requires the following parameters:

Parameter	Description
`Asset Resource Names`	Required. A comma-separated list of the unique identifiers (full resource names) for the assets to retrieve data about.
`Timeframe`	Optional. The timeframe to search for the vulnerabilities or misconfigurations. The possible values are as follows: `Last Week` `Last Month` `Last Year` `All Time` The default value is `All Time`.
`Record Types`	Optional. The type of record to return. The possible values are as follows: `Vulnerabilities + Misconfigurations` `Vulnerabilities` `Misconfigurations` The default value is `Vulnerabilities + Misconfigurations`.
`Output Type`	Optional. The type of output to return in the JSON result for every asset. The possible values are as follows: `Statistics` `Data` `Statistics + Data` The default value is `Statistics`.
`Max Records To Return`	Optional. The maximum number of records to return for every record type. The default value is `100`.

Action outputs

The List Asset Vulnerabilities action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The List Asset Vulnerabilities action can return the following tables:

Table title: ASSET_ID Vulnerabilities

Table columns:

Category
Description
Severity
Event Time
CVE

Table title: ASSET_ID Misconfigurations

Table columns:

Category
Description
Severity
Event Time
Recommendation

JSON result

The following example shows the JSON result output received when using the List Asset Vulnerabilities action:

{
   ."siemplify_asset_display_name":[1] [2]  ""
"vulnerabilities": {
        "statistics": {
            "critical": 1,
            "high": 1,
            "medium": 1,
            "low": 1,
            "undefined": 1
        },
        "data": [
            {
                "category": "CATEGORY"
                "description": "DESCRIPTION"
                "cve_id": "CVE_ID"
                "event_time": "EVENT_TIME"
                "related_references": "RELATED_REFERENCES"
                "severity": "SEVERITY"
            }
        ]
    },
    "misconfigurations": {
        "statistics": {
            "critical": 1,
            "high": 1,
            "medium": 1,
            "low": 1,
            "undefined": 1
        },
        "data": [
            {
                "category": "CATEGORY"
                "description": "DESCRIPTION"
                "recommendation": "RECOMMENDATION"
                "event_time": "EVENT_TIME"
                "severity": "SEVERITY"
            }
        ]
    },
}

Output messages

The List Asset Vulnerabilities action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully returned related vulnerabilities and misconfigurations to the following entities in Security Command Center: ASSET_IDS.` `No vulnerabilities and misconfigurations were found to the following entities in Security Command Center: ASSET_IDS.` `No vulnerabilities and misconfigurations were found for the provided assets in Security Command Center.`	The action succeeded.
`Error executing action "List Asset Vulnerabilities". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully returned related vulnerabilities and misconfigurations to the following entities in Security Command Center: ASSET_IDS.

No vulnerabilities and misconfigurations were found to the following entities in Security Command Center: ASSET_IDS.

No vulnerabilities and misconfigurations were found for the provided assets in Security Command Center.

The action succeeded.

Error executing action "List Asset Vulnerabilities". Reason:
      ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Asset Vulnerabilities action:

Script result name	Value
`is_success`	`true` or `false`

Ping

Use the Ping action to test the connectivity to Security Command Center.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Ping action can return the following output messages:

Output message Message description

Successfully connected to the Security Command Center server with the provided connection parameters! The action succeeded.

Output message	Message description
`Successfully connected to the Security Command Center server with the provided connection parameters!`	The action succeeded.
`Failed to connect to the Security Command Center server! Error is ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Failed to connect to the Security Command Center server! Error
      is ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name	Value
`is_success`	`true` or `false`

Update Finding

Use the Update Finding action to update an existing finding in Security Command Center.

This action doesn't run on Google SecOps entities.

Action inputs

The Update Finding action requires the following parameters:

Parameter Description

Parameter	Description
`Finding Name`	Required. The full resource names of the findings to return details, in the format `organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID`. This parameter accepts multiple values as a comma-separated list.
`Mute Status`	Optional. The mute status of the finding. The possible values are as follows: `Mute` `Unmute`
`State Status`	Optional. The state of the finding. The possible values are as follows: `Active` `Inactive`

Finding Name

Required.

The full resource names of the findings to return details, in the format organizations/ORGANIZATION_ID/sources/SOURCE_ID/findings/FINDING_ID.

This parameter accepts multiple values as a comma-separated list.

Mute Status

Optional.

The mute status of the finding.

The possible values are as follows:

Mute
Unmute

State Status

Optional.

The state of the finding.

The possible values are as follows:

Active
Inactive

Action outputs

The Update Finding action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Update Finding action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully updated the following findings in Security Command Center: FINDING_NAMES` `Action wasn't able to find the following findings in Security Command Center: FINDING_NAMES` `None of the provided findings were found in Security Command Center.`	The action succeeded.
`Error executing action "Update Finding". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully updated the following findings in Security Command Center: FINDING_NAMES

Action wasn't able to find the following findings in Security Command Center: FINDING_NAMES

None of the provided findings were found in Security Command Center.

The action succeeded.

Error executing action "Update Finding". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Update Finding action:

Script result name	Value
`is_success`	`true` or `false`

Connectors

For more information about how to configure connectors in Google SecOps, see Ingest your data (connectors).

Security Command Center - Findings Connector

Use the Security Command Center - Findings Connector to retrieve information about findings from Security Command Center.

This connector supports filtering findings by category using the dynamic list.

Connector inputs

The Security Command Center - Findings Connector requires the following parameters:

Parameter	Description
`Product Field Name`	Required. The name of the field where the product name is stored. The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default. The default value is `Product Name`.
`Event Field Name`	Required. The name of the field that determines the event name (subtype).
`Environment Field Name`	Optional. The name of the field where the environment name is stored. If the environment field is missing, the connector uses the default value. The default value is `""`.
`Environment Regex Pattern`	Optional. A regular expression pattern to run on the value found in the `Environment Field Name` field. This parameter lets you manipulate the environment field using the regular expression logic. Use the default value `.*` to retrieve the required raw `Environment Field Name` value. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.
`PythonProcessTime`	Required. The timeout limit, in seconds, for the Python process that runs the current script. The default value is `180`.
`API Root`	Required. The API root of the Security Command Center instance.
`Organization ID`	Optional. The ID of the Google Cloud organization to use
`Project ID`	Optional. The Google Cloud project ID to use.
`Quota Project ID`	Optional. The Google Cloud project ID to use.
`User's Service Account`	Required. The full content of the service account key JSON file. Only use this parameter if you are authenticating using a JSON key.
`Workload Identity Email`	Optional. The client email address of your service account. Only use this parameter if you are authenticating using a Workload Identity. If you configure this parameter, you must also configure `Quota Project ID`.
`Finding Class Filter`	Optional. A comma-separated list of the types of security findings to include when ingesting data from the source. The possible values are as follows: `Threat` `Vulnerability` `Misconfiguration` `SCC_Error` `Observation` `Toxic Combination` `Chokepoint` If no value is provided, findings from all classes are ingested.
`Lowest Severity To Fetch`	Optional. The lowest severity of the alerts to retrieve. If you don't configure this parameter, the connector ingests alerts with all severity levels. The possible values are as follows: `Low` `Medium` `High` `Critical` If a finding with an undefined severity is assigned the `Fallback Severity` level, that finding is exempt from filtering by this parameter. If no value is provided, all severity types are ingested.
`Fallback Severity`	Optional. The severity level to assign to any ingested security finding without a defined or recognizable severity rating from the source. The possible values are as follows: `Low` `Medium` `High` `Critical` The default value is `Medium`.
`Max Hours Backwards`	Optional. The number of hours prior to now to retrieve findings. This parameter can apply to the initial connector iteration after you enable the connector for the first time, or the fallback value for an expired connector timestamp. The maximum value is `24`. The default value is `1`.
`Max Findings To Fetch`	Optional. The number of findings to process in every connector iteration. The maximum value is `1000`. The default value is `100`.
`Use dynamic list as a blacklist`	Required. If selected, the connector uses the dynamic list as a blocklist. Disabled by default.
`Verify SSL`	Required. If selected, the integration validates the SSL certificate when connecting to the Security Command Center server. Disabled by default.
`Proxy Server Address`	Optional. The address of the proxy server to use.
`Proxy Username`	Optional. The proxy username to authenticate with.
`Proxy Password`	Optional. The proxy password to authenticate with.

Need more help? Get answers from Community members and Google SecOps professionals.